This web page describes the OpenPGP key signing policy for the following OpenPGP key:
Key ID: 409AC31C; User ID: Matthew Wakeling (Home address); Fingerprint: AF2B 176C CF52 CC74 8F46 02BC F786 A9F1 409A C31C; detached signature (linked).
This web page is signed by the key mentioned above with a detached signature, linked above. To verify the signature on this document, download this page and the signature, and run (assuming you are using GnuPG):
To view comments on OpenPGP keys that I have already signed, look in this directory.
I require that two things are proven to me in order for me to sign a key:
To satisfy the first requirement of proof, the person named in the key must meet me in person, and provide sufficient proof that they are that person. Sufficient proof requires one item from each of the following two lists. The first list comprises supposedly "strong" proofs of identity.
To satisfy the first requirement of proof, the person named in the key must certify to me in person that they generated and now own the key in question. They must identify the key by its full fingerprint, which they must provide. It is not sufficient for them to glance their eyes over a copy of the fingerprint that I brought along and say "that's fine". In fact, I will usually not bring a copy of their key's fingerprint to the meeting. I highly recommend bringing pieces of paper (or business cards) with your own key fingerprint to hand out to people at a meeting.
To satisfy the second requirement of proof, I will send an email to each of the email addresses of uids that I am to sign, encrypted to the key that I am to sign. In the encrypted email, I will quote some fairly unguessable text (suggestions have been made to make use of RFC 1760, but that is not a requirement). I will expect the owner of the key to quote back to me that text, to prove that the email reached someone capable of using the key.
In the case of a signing-only key, I will send some random text in the clear to each of the email addresses, and expect the text to be sent back as part of a message that makes clear that the text is included in the message for the purpose of verifying the email address. The message MUST be signed by the key in question.
None of the random/unguessable text I use in this procedure will be of a form that one could object to signing, but even so, it is recommended that if you choose to sign text that someone else has provided, you specify that as part of the signed message.
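As an added example, not part of the original policy page: a small Python model of the email challenge-response step for one uid. It assumes that signature checking is done separately by gpg and that only its result (the fingerprint of the key that signed the reply) is passed in; the email address used is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Fingerprint from the page, with the display spaces removed.
PAGE_FINGERPRINT = "AF2B176CCF52CC748F4602BCF786A9F1409AC31C"


@dataclass
class Challenge:
    fingerprint: str    # key to be signed, 40 hex digits, no spaces
    email: str          # uid address this challenge was mailed to
    token: str          # the unguessable text quoted in the mail
    used: bool = False  # a token proves reachability once only


def normalise_fpr(fpr: str) -> str:
    """Accept 'AF2B 176C ...' as printed by gpg and return the bare hex form."""
    return "".join(fpr.split()).upper()


def new_challenge(fingerprint: str, email: str) -> Challenge:
    """One fresh 128-bit token per uid, drawn from the OS CSPRNG."""
    return Challenge(normalise_fpr(fingerprint), email, secrets.token_urlsafe(16))


def challenge_message(c: Challenge) -> str:
    """Body to encrypt to the key (or to send in clear for a signing-only key).
    It states what the text is for, so quoting or signing it back cannot be
    read as agreeing to anything else."""
    return (f"Key-signing check for uid <{c.email}> on key {c.fingerprint}.\n"
            "Please quote the following line back to me unchanged:\n"
            f"{c.token}\n")


def verify_reply(c: Challenge, reply: str, signed_by: Optional[str] = None,
                 require_signature: bool = False) -> bool:
    """True if the reply quotes the token (a '> '-quoted line is fine) and,
    for a signing-only key, was signed by exactly the key being signed.
    signed_by is the fingerprint gpg --verify reported for the reply, or None."""
    if c.used:
        return False
    if require_signature and (signed_by is None
                              or normalise_fpr(signed_by) != c.fingerprint):
        return False
    for line in reply.splitlines():
        candidate = line.lstrip("> ").strip()
        if hmac.compare_digest(candidate.encode(), c.token.encode()):
            c.used = True
            return True
    return False
```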
If all the procedures above are followed fully, then I will sign the key with a trust level of 3.
However, sometimes it may not be possible to follow the procedure completely properly. This may happen for example at a keysigning party, where I may not be able to inspect all the identification I wish to. In these circumstances, I will sign keys with a trust level of 2. I will not sign keys without a reasonable level of checking - if it isn't good enough for level 2, it will not happen.
By signing a key, I certify certain things about it. Most of this document deals with this. However, it is worth listing some of the things that I do not certify about any key that I sign. This list is not exhaustive.
Most of these points are because I will only certify facts that can be verified by myself. I do not certify anything that I would have to merely trust someone about.
I will expect all the keys that I sign to be present in the main PGP keyservers. If there is a really good reason why not, then I may accept a key that is emailed to me in ASCII-armoured format to sign.
To sign an OpenPGP key, first import it into your main public keyring, by running a command like:
"help" will give you a list of the commands you can run. Use the "uid" command to select the uids that you wish to sign, and then use the "sign" command to sign the key. Finally, to save your changes and exit, use the "
When I sign keys, I will send updated versions of the key to the keyservers unless you tell me not to. I will also send you a copy of the ASCII-armoured representation of the newly-signed key.
To produce such an ASCII-armoured text representation, use a command like:
To send an updated key to the keyservers, use a command like: